V-206376
SV-206376r960963_rule
CAT II
The web server must not be a proxy server.
From: Web Server Security Requirements Guide (V4R4)
Description
<VulnDiscussion>A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Review the web server documentation and deployed configuration to determine if the web server is also a proxy server.
If the web server is also acting as a proxy server, this is a finding.
Fix Text
Uninstall any proxy services, modules, and libraries that are used by the web server to act as a proxy server.
Verify all configuration changes are made to assure the web server is no longer acting as a proxy server in any manner.
CCI Reference
CCI-000381- Created
- 2026-04-07 20:08:40
- Last Updated
- 2026-04-07 20:08:40